
12 Answers
12

ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one. If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

In beta 1, currently there is no way to define this in info.plist. Solution is to add it manually:

Be aware that you just got rid of Application Transport Security completely, so one major iOS 9 feature is just gone from your app. This is a hack, and I wouldn't be surprised if that hack would get your app rejected. Adding particular websites to this dictionary will more likely be allowed.
– gnasher729 Jun 10 '15 at 10:11

1

@StevenPeterson You'll only be able to get an entire app excluded on a case-by-case basis by Apple. I assume if Apple blesses your app with this ability, they will instruct you to include this key. Expect Apple to do this rarely.
– mattyohe Jun 11 '15 at 18:43

6

Please, please, please, please, please - don't just add the exception to your plist and move on "just because it works". Consider the security of your user's data and implement SSL and other security best practices.
– Santa Claus Jun 16 '15 at 5:27

7

@gnasher729, I understand it's better to support TLS 1.2, instead of just disabling ATS. However, what can you do if you rely on a 3rd party API/web service. I can't force them to upgrade, so what can I do??
– Woodstock Jun 28 '15 at 20:06

6

There is a subtle bug in this answer: NSTemporaryExceptionMinimumTLSVersion must be e.g. TLSv1.0 instead of 1.0, see NSAppTransportSecurity Exception domains dictionary keys
– mbi Jan 19 '16 at 17:11

I have only had any luck with the bottom example where you set NSAllowsArbitraryLoads to true. My server is using TLS v1.2 exclusively and I still have to do this to get it to work. Very frustrating.
– Scooter Jul 8 '15 at 18:48

So is there any workaround I could use to know for sure my new app will get approved in the App Store, such as a proxy service?
– Josh Oct 26 '16 at 21:52

Hopefully this will help someone else. We were having issues connecting to Amazon S3 URLs that appeared to be perfectly valid, TLSv12 HTTPS URLs. Turns out we had to disable NSExceptionRequiresForwardSecrecy to enable another handful of ciphers that S3 uses.

This was my exact problem, and it fixed it instantly! Thanks! :)
– Alex Zak Sep 30 '15 at 11:05

This solves the problem I had too; different cases may require different settings though. The good news is that the technote also contains info on how to use nsurl to help you find the correct settings in general.
– ecotax Oct 7 '15 at 9:06

I needed to do the same for cloudfront.net if I used a CDN in front of Amazon S3.
– Raymond26 Dec 9 '15 at 9:56
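
An added example, not part of any answer or comment above: a Python audit of an Info.plist for the ATS exceptions discussed in this thread (a blanket NSAllowsArbitraryLoads, a minimum TLS version written without the TLSv prefix, forward secrecy turned off for one domain). The sample plist, its example.com domains, the function name and the severity labels are constructed assumptions.

```python
import plistlib

# Constructed sample Info.plist (not from the thread). Domains are placeholders;
# "1.0" reproduces the malformed TLS version value pointed out in the comments.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy-api.example.com</key><dict>
        <key>NSTemporaryExceptionMinimumTLSVersion</key><string>1.0</string>
      </dict>
      <key>storage.example.com</key><dict>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

TLS_KEYS = ("NSExceptionMinimumTLSVersion", "NSTemporaryExceptionMinimumTLSVersion")
FS_KEYS = ("NSExceptionRequiresForwardSecrecy", "NSTemporaryExceptionRequiresForwardSecrecy")
HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads", "NSTemporaryExceptionAllowsInsecureHTTPLoads")


def audit_ats(plist_bytes):
    """Return (severity, scope, message) findings; severity labels are this example's own."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "*", "ATS disabled for every connection"))
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        for key in TLS_KEYS:
            value = cfg.get(key)
            if value is None:
                continue
            if not str(value).startswith("TLSv"):
                findings.append(("error", domain, f"{key}={value!r} is malformed, expected e.g. 'TLSv1.0'"))
            elif value in ("TLSv1.0", "TLSv1.1"):
                findings.append(("medium", domain, f"{key} lowered to {value}"))
        if any(cfg.get(k) is False for k in FS_KEYS):
            findings.append(("low", domain, "forward secrecy not required"))
        if any(cfg.get(k) is True for k in HTTP_KEYS):
            findings.append(("high", domain, "cleartext HTTP allowed"))
    return findings


if __name__ == "__main__":
    for severity, scope, message in audit_ats(SAMPLE_PLIST):
        print(f"[{severity}] {scope}: {message}")
```

Run against a build's Info.plist in CI, a check like this makes each ATS exception a reviewed decision instead of a leftover workaround.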